The Center for Strategic and International Studies (CSIS) released a report Wednesday analyzing the risk that increasing use of encryption in private-sector communications poses to law enforcement, and found no data suggesting that the risk has so far become unbearable.
The report, The Effect of Encryption on Lawful Access to Communications and Data, looks at why personal communications encryption has been increasing, how it affects law enforcement and intelligence agency activities/investigations, and what techniques can help mitigate the downsides of increasing encryption while larger policy solutions remain unresolved.
In 2000 the United States government removed restrictions on the sale of strong encryption to make the internet safer and to benefit the country economically, the report says. However, in more recent years, and following the Edward Snowden revelations, increased interest in protecting personal information has created demand for unrecoverable encryption products, so companies are increasingly offering that option.
Regular encryption products usually include recovery mechanisms because customers want features such as regaining access to an account after forgetting a password, easily searchable historical data, and linked devices and applications across platforms. The newer privacy concerns are pushing products toward unrecoverable encryption. International actors are also pushing toward unrecoverable encryption, driven by perceptions that the U.S. has inadequate constraints, little transparency, and no oversight on U.S. intelligence agencies where American products are concerned, the report said.
Unrecoverable encryption provides options such as separate encryption keys for individual messages in an application, so a company can tell its users not only that it will secure their data but that its methods make it technically impossible to cooperate with government requests.
The report noted that “It is in the national interest to encourage the use of strong encryption. No one we interviewed in law enforcement or the intelligence community disagreed with this.”
However, unrecoverable encryption of instant messaging and full disks makes it increasingly difficult for law enforcement and intelligence agencies to conduct lawful investigations.
The report found that 18 percent of global communications traffic is currently end-to-end encrypted and that this is expected to rise to 22 percent by 2019. In 2016, more than 50 percent of total internet traffic was also encrypted. However, law enforcement mostly cares about email, chat, voice communications, video communications, and file sharing. Combined, those make up less than 10 percent of total internet traffic in North America, CSIS said.
Additionally, 47 percent of all mobile devices in the U.S. have full disk encryption.
James Baker, general counsel at the FBI, emphasized how this growing problem is weighing on law enforcement at a CSIS event held Wednesday when the report was released.
From October to December 2016 a total of 2,870 devices were brought to the FBI for a forensic exam. Of those devices, 1,715 had password protection and 470 of the password-protected devices were defeated. That meant the FBI was unable to access 43 percent of the total devices in that “admittedly small snapshot of data,” Baker said.
The report said that trends increasing the use of unrecoverable encryption may increase the risk to public safety, but CSIS could not find any data suggesting the risk is unbearable. Its main conclusion is that the benefits of mandating access to encrypted data would not outweigh the costs, and that while law enforcement has legitimate concerns, the magnitude of the challenge is not yet significant enough to justify decryption mandates.
CSIS said the main problem in mandating recoverability is that it is costly, complex to implement, would affect the ability of firms to sell overseas, and is unlikely to fully deliver public safety aims because malicious actors could still use non-U.S. encryption products and open source tools.
The report also pointed out that the debate has generally become framed in zero-sum terms: privacy and security versus law enforcement’s ability to stop terrorists and criminals. Although mandating recoverability is not called for yet, it said that claims that blocking unrecoverable encryption would be unacceptably damaging to cybersecurity are also overstated. CSIS cited how intelligence agencies and corporations secure classified and sensitive data using recoverable encryption that allows for plaintext recovery.